An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: October 2010

Oct. 27, 2010. The Federal Trade Commission today posted a letter to Google’s counsel announcing that it is ending its inquiry into Google’s collection of information sent over unsecured wireless networks. The inquiry began after Google revealed in May 2010 that its Street View cars had been collecting more than just WiFi location information such as SSID information and MAC addresses. Instead, Google had also been capturing “payload” data sent over unsecured wireless networks. The May announcement came after the data protection authority in Hamburg, Germany, requested an audit of the Street View data.

Last week, on October 22, 2010 Google announced on its U.S. website that it has taken steps to improve its privacy practices, including appointing a new director of privacy to oversee both the engineering and product management groups, enhancing its privacy training, and implementing new internal privacy compliance practices. This announcement, together with Google’s promise to delete the payload data as soon as possible, and assurance that it will not use the data in any product or service, appears to have appeased the FTC. The FTC’s letter did not contain any determination about whether Google’s actions did or did not breach any data privacy laws, nor did it require any remedial action or fines. Australia, in contrast, had concluded in June that Google violated Australia’s privacy laws, and required Google to publicly apologize, to conduct a Privacy Impact Assessment, and regularly consult with the Australian office about data collection.

Google also acknowledged that – contrary to its earlier postings – “in some instances entire emails and URLs were captured, as well as passwords.” While Google’s October 22 posting satisfied the FTC, this revelation caused the U.K. to announce that is re-opening its investigation into Google’s privacy practices. The U.K. had closed its investigation in July after reviewing sample payload data, concluding that personal data, emails and passwords were not collected.

The Federal Trade Commission announced this week that it has created a guide to help attorneys and victim advocates provide legal assistance to victims of identity theft.

The guide includes step-by-step instructions for helping pro bono clients recover from identity theft and incorporates victims’ rights under various federal statutes. It also includes information about recovery from less common forms of identity theft, such as tax fraud, federal student loan fraud and medical ID theft. The guide includes sample dispute letters, checklists, affidavits, federal statutes and regulations, consumer education material, and links to online resources.

Canada’s Office of the Privacy Commissioner (“OPC”) conducted an investigation of Google, including examining the payload data collected from Canadian residents. OPC examiners found that Google captured personal information, such as email addresses, complete email messages, addresses and phone numbers, and included sensitive personal information such as medical information. OPC also found that the error was caused by a design engineer’s “careless error” by failing to follow Google’s design review procedures.

OPC found that by inadvertently collecting the unencrypted Wi-Fi data, Google violated PIPEDA Principles because: (1) it did not have consent of the individuals from whom the personal information was collected (Principle 4.3); (2) it did not identify a purpose for the collection of the data (Principle 4.2); and (3) the collection was not limited to necessary data (Principle 4.4).

As a result of the investigation, Commissioner Stoddart recommended that: (1) Google reexamine and improve employee privacy training; (2) ensure that it has effective procedures to protect privacy and controls to ensure they are followed prior to the launch of any product; (3) designate individuals who are accountable for compliance with Canadian privacy law; and (4) delete the Canadian payload data to the extent it is allowed to do so under Canadian and U.S. laws. The Preliminary Letter of Findings gives Google until February 1, 2011 to comply with these recommendations.

A class action lawsuit was filed on September 16, 2010, alleging that the lead defendant, Ringleader Digital, Inc., and several website operators utilizing Ringleader Digital’s technology have violated the plaintiffs’ privacy rights by illegally tracking individual’s mobile internet activity without their permission. This appears to be the first class action lawsuit involving tracking of mobile devices’ internet activity and is very similar to the series of class action lawsuits filed over the last few months focusing on “Flash cookies" (including Valdez v. Quantcast Corp., White v. Clearspring Technologies, Inc. and La Court v. Specific Media, Inc.), as covered by the Wall Street Journal and the New York Times. (The Flash cookie cases were also covered in the Privacy and Information Security Committee’s July-August and September Updates, materials for which are available to committee members here)

A main point of contention is Ringleader Digital’s use of HTML5.HTML5 is a next-generation open standard currently under development by the World Wide Web Consortium, but it has already been adopted by companies such as Apple instead of Adobe Flash on its iPhone, iPod and iPad products.The HTML5 standard provides website operators the ability to locally store information on a user’s computer or mobile device.The local storage feature provides benefits, such as allowing users to use website features offline, but also allows a website operator to implement “cookie” functionality because large amounts of data regarding a user’s internet history can be stored.

The complaint alleges that Ringleader Digital developed technology, known as Media Stamp™, utilizing HTML5 local storage databases to create the mobile equivalent of a third-party online cookie.The complaint also alleges that the Media Stamp technology assigns users a unique identifying number and allows Ringleader Digital, advertisers, ad agencies and website publishers to create a local HTML5 database to track a mobile device’s internet activities over multiple websites.

The lawsuit relies on similar legal bases as the Flash cookie lawsuits.The main thrust of all claims is that Ringleader Digital and the other defendants violated privacy laws by tracking a mobile device’s internet activity with no disclosure that it was doing so and without authorization.The plaintiffs also allege that the tracking databases created by the defendants would be recreated even after the plaintiffs deliberately tried to remove them, which is similar to the “re-spawning” or “zombie” aspect of Flash cookies.

In a long-awaited decision, Paul v. Providence Health System– Oregon (Oct. 6, 2010), the Oregon Court of Appeals ("Court") unanimously affirmed the dismissal of a class action arising out of a third party’s alleged theft of hospital patients’ personal information. The stolen records contained unencrypted personal, medical, and financial information for an estimated 365,000 patients. Patients, whose information had allegedly been stolen from a hospital employee, sued the hospital for negligently failing to safeguard the records and violating Oregon’s Unlawful Trade Practices Act ("UTPA"). The patients, who asked to represent a class of all individuals affected by the alleged theft, sought injunctive relief and damages for emotional distress and for past and future costs of credit-monitoring and other services to protect against identity theft.

Plaintiffs’ negligence claims were based on per se and common law negligence. As to the first negligence claim, the plaintiffs alleged that the hospital failed to comply with federal and Oregon state laws providing for the protection of medical information. With regard to the common law negligence claim, plaintiffs alleged that the defendant was negligent "in failing to safeguard the data, in failing to encrypt it, in allowing its agent or employee to store such data in his or her car, and in failing to put in place policies that would protect such data from theft and disclosure." Further, the plaintiffs claimed that the defendant violated Oregon’s "UTPA" by (1) "representing that all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it lacked adequate means to safeguard such information" and (2) "representing that the business of sale of services and goods would include privacy and confidentiality when it knew that the transactions were not confidential due to its inadequate data protection program." Plaintiffs did not allege that they had been victims of fraud or identity theft as a result of the stolen information or that the stolen information had otherwise been compromised.

The trial court dismissed the patients’ claims for failure to state a claim on which relief could be granted, and, under a unique provision of Oregon law, determined that a class action could not be maintained because the hospital had provided a timely and appropriate remedy to patients allegedly affected by the theft. On appeal, the Court agreed that the plaintiffs had not alleged a legal basis for the hospital’s liability, finding that the trial court was correct to dismiss the plaintiffs’ action and the hospital did not owe a special duty to protect patients’ records from theft other than the duty to exercise reasonable care to prevent economic loss or emotional distress to the plaintiffs. Because the Court dismissed the action for failing to state a claim on which relief could be granted, the Court did not reach the question of whether the trial court properly determined that the case could not proceed as a class action. The Oregon Court of Appeals opinion is available here.

Thank you to Douglas Ross of Davis Wright Tremaine LLP and a member of the ABA Privacy and Information Security Committee for helping create this post.

On October 8, 2010, Representatives Barton (R-TX) and Markey (D-MA), co-chairs of the Congressional Privacy Caucus, released information that their Congressional offices had collected regarding specific entities’ online behavioral advertising practices. In August 2010, Representatives Barton and Markey had sent letters to a number of companies requesting information about online behavioral tracking methods. The letters, targeting telecommunications providers, Internet search engines, and social networking sites, such as Yahoo, Comcast, AOL, MSNBC, MySpace, Verizon Wireless, About.com, CareerBuilder, and MSN.com, asked entities to provide information regarding collection of personal information, relationships with third-party data analytics firms, how collected information is used to provide targeted advertising or marketing to consumers, what factors entities use to track or target consumers, and how specific types of technologies, such as Flash cookies, are used.

In their responses, companies defended behavioral advertising practices, noting that privacy policies explain data collection practices and allow users to opt out of data collection or to receive targeted advertising based on online activity. Further, many companies maintained that behavioral advertising is important to consumers because it allows entities to provide free content that is valuable to consumers. Representative Markey and Barton noted that the responses raise a number of concerns, including whether "consumers are able to effectively shield their personal Internet habits and private information from the prying eyes of online data gathers" and concerns over "complicated and laborious" privacy policies that are hard for consumers to understand. The entities’ responses are available on Representative Markey’s congressional website.

In the past year, Congress has focused heavily on personal information privacy practices, including holding numerous hearings to discuss privacy practices and legislation. Privacy legislation has been introduced in both the House or Representatives and the Senate. Pending bills include S. 3742, recently introduced by Senators Pryor (D-AR) and Rockefeller (D-WV); H.R. 5777, introduced by Representative Rush (D-IL); and H.R. 2221, which passed the House in December 2009. Provisions of these bills focus on security standards for personal information, data accuracy, and, in some instances, information collection, sharing, and use practices.

The European Union Commission has decided to refer the United Kingdom to the European Union Court of Justice for not fully implementing rules laid down in both Directive 2002/58/EC (the “ePrivacy Directive”) and Directive 95/46/EC (the “Data Protection Directive”). Under European Union law, a Directive is not directly enforceable, but must be implemented by each Member State in its national legislation. A directive is binding, however, as to the result to be achieved.

British Telecom admitted in 2008 that it had carried out in 2006 and 2007 secret testing of Webwise, a behavioral advertising technology developed by Phorm. Webwise tracked and constantly analyzed users’ Internet activity to determine their interests in order to provide them with targeted advertising.

Users complained about what they thought were unlawful interceptions of communications. They complained to the Information Commissioner’s Office (ICO), which is UK’s independent authority on personal data protection, and to the police.

The EU Commission inquired into the UK government action to respond to these complaints. It grew concerned that data protection EU laws protecting the confidentiality of communications by prohibiting interception and surveillance without users’ consent had not been adequately implemented by the UK.

Recital 24 of the ePrivacy Directive states that the use of devices which can be used to gain access and store information located on terminal equipment of users of electronic communications networks is allowed only “for legitimate purposes, with the knowledge of the users concerned.”

Article 5(1) of the ePrivacy Directive requires Member States to ensure, through national legislation, the confidentiality of electronic communications. They must prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, unless the users consent to it.

Under the UK Regulation of Investigatory Powers Act of 2000 (RIPA), it is a crime to intercept communications intentionally. It is legal, however, to intercept a communication if the interceptor has “reasonable grounds for believing” that consent to intercepting has been given.

RIPA thus does not comply, in view of the Commission, with the definition of “data subject’s consent,” set out by article 2(h) of the Data Protection Directive as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Article 7(a) of the Data Protection Directive states that the data subject must have given his consent “unambiguously.”

The Commission also considered that UK law does not comply with EU rules on enforcement by supervisory authorities, as the UK does not have an independent national supervisory authority supervising the interception of communications.

The Commission has the power to commence an infringement proceeding against a Member State which the Commission believes infringes EU law. The Commission opened an infringement proceeding against the UK in April 2009, by sending a letter of formal notice, which is the first stage of an infringement proceeding. The Commission, not satisfied by UK response to the letter of formal notice, moved to the second stage of an infringement proceeding in October 2009 by announcing it would send the UK a reasoned opinion on the matter.

The Commission found the reply to the reasoned opinion unsatisfactory, and referred the case to the Court of Justice this last September. If the Court of Justice establishes an infringement, the UK will be required to take the necessary measures to comply with the judgment.

It will be interesting to follow how the EU Court of Justice will decide this case. Could it be possible that online behavioral advertising programs would be considered unlawful interception of communication, if users do not consent to it?

The issue of Internet users’ consent is hotly debated right now in the UK. Should users consent to cookies being stored their computers? Directive 2009/136/EC, nicknamed the “cookie directive,” entered into force on December 19, 2009, and must be transposed by Member States by May 25, 2011. Recital 66 of the Directive states that “users must be provided with clear and comprehensive information when engaging in any activity which could result in storing or gaining of access [to their equipment].” The new article 5(3) of the ePrivacy Directive, as amended by the “cookie directive,” requires a user’s consent before storing cookies, after the user has been provided “with clear and comprehensive information.” How Member States will implement this requirement, and how the European Court of Justice will rule in the Phorm case, will be watched closely in the next months by online behavioral marketers.